


British Airways and Marriott Face Hundreds of Millions in Fines for GDPR Violations

July 11, 2019

Early this week, the United Kingdom (U.K.)'s Information Commissioner's Office (ICO) published two statements regarding its issuance of notices of its intention to fine British Airways £183.39 million (or $230 million) and to fine Marriott International £99.2 million (or $123 million) for infringement of the General Data Protection Regulation (GDPR).


British Airways (BA):

In September 2018, BA notified the ICO of a cybersecurity incident which is believed to have begun in June 2018 and which exposed the personal data of nearly 500,000 customers to cyber attackers. The attackers used a fraudulent site to harvest customers' data, including login, payment card and travel booking details, as well as name and address information.


After being notified, the ICO conducted an investigation and concluded that BA had "poor security arrangements", which may have exposed customers' personal data.


The fine, which would be the largest one under the GDPR so far, is around 1.5% of BA's annual revenue for the financial year that ended December 31, 2017. It is noteworthy that the fine could go up to 4% of the company's revenue. BA has already announced the probable penalty to the London Stock Exchange; however, the company's top executives have expressed "surprise and disappointment" with the fine and said that BA will appeal the notice of penalty, arguing that the company provided timely notification of the breach and that it cooperated with the ICO to assess the issue.


Information Commissioner Elizabeth Denham said that "people's personal data is just that - personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."


Marriott International (Marriott):

In November 2018, Marriott disclosed that hackers had had access to the reservation systems of many of its hotel chains for 4 years, which exposed the personal data of approximately 339 million guests, of which around 30 million were residents of 31 countries in the European Economic Area (EEA), including 7 million in the U.K.


The personal data collected included names, addresses, credit card numbers, phone numbers, passport numbers, travel locations, and arrival/departure dates.


The ICO conducted an extensive investigation and confirmed that the cyber vulnerability started in 2014 within the systems of Marriott's subsidiary Starwood Hotels Group, which Marriott acquired in 2016. However, Marriott did not discover the vulnerability until September 2018, when an internal security tool flagged the unauthorized party's activity. Given the hackers' efforts to encrypt and/or remove data, Marriott was unable to decrypt the information until late November.


In its statement this week, after Marriott disclosed the possible fine in a filing with the U.S. Securities and Exchange Commission (SEC), the ICO also declared that it found that "Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems." On the other hand, the ICO recognized that Marriott has cooperated with the ICO's investigation and has made improvements to its security arrangements.


With increasing enforcement of data protection laws by regulators such as the ICO and additional scrutiny by the SEC, FTC and other regulators involving cyberattacks and disclosures, it has become critical for companies to establish or enhance their Privacy and Data Protection Compliance Programs. MDO Partners encourages companies to conduct cybersecurity risk assessments, conduct pre-acquisition due diligence for data protection compliance, adopt robust privacy policies, enhance disclosure controls and adopt cyberattack investigation procedures to help mitigate the risks associated with cyberattacks and data breaches. Our attorneys and advisors have experience advising clients on the relevant privacy matters and cybersecurity measures that should be taken to establish and maintain an effective Privacy and Data Protection Compliance Program.

About MDO Partners

MDO Partners is a boutique law firm that focuses on Corporate, International, and Real Estate Law, as well as Global Compliance and Business Ethics. The firm is comprised of a solid team of attorneys and advisors with more than 100 years of combined experience who are committed to the business goals and best interests of their clients. The firm delivers value-added services of the highest caliber, and serves as a trusted advisor to its clients with a practical and business-savvy approach. For more information on MDO Partners, please visit

If you have questions or comments regarding this Alert, please contact the attorney or advisor listed below.

Richard Montes de Oca

Managing Partner

175 SW 7th Street

Suite 1900
Miami, FL 33130